Skill v1.7.0
ClawScan security
Poster Maker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 21, 2026, 8:42 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill appears to be what it says (an AI poster generator) but has several implementation and metadata inconsistencies around API keys and endpoint handling that you should review before installing.
- Guidance: This skill appears to do poster generation as described, but there are several sloppy/incoherent details you should resolve before use:
  - The script requires an API key (it reads OFOX_API_KEY or OPENROUTER_API_KEY) but the skill metadata claims no required env vars—ask the author to declare the needed env var(s) explicitly.
  - The script always POSTs to https://api.ofox.ai even if you supply an OPENROUTER_API_KEY; OpenRouter support is claimed but not implemented in the code. Do not assume a key for one service will be routed correctly.
  - Error messages reference IMAGE_API_KEY while code checks OFOX_API_KEY/OPENROUTER_API_KEY; this mismatch increases the chance you'll accidentally expose the wrong credential.
  - If you install/use this skill: provide a minimal-scope image API key, not a broad platform key or credential that grants other access. Prefer creating a dedicated API key with limited permissions and monitor usage/costs.
  - If you have sensitive secrets, test the script in an isolated environment and inspect network calls (or run it with a harmless test key) before using production keys.
  - Ask the author to fix metadata (declare required env vars), clarify OpenRouter support (implement switching endpoints or remove claim), and correct error messages. If these issues are unresolved, treat the skill as untrusted for production use.
Review Dimensions
- Purpose & Capability
  - concern: The skill's stated purpose (poster generation via Nano Banana Pro, supporting Ofox/OpenRouter) matches the included prompt templates and generation script. However the package metadata declares no required environment variables or credentials while the bundled script clearly needs an image API key. That mismatch between what is declared and what the code needs is inconsistent.
- Instruction Scope
  - concern: SKILL.md stays within poster-generation scope and instructs running the provided script; it does not instruct broad system access. But the runtime instructions claim automatic Ofox/OpenRouter detection while the script always posts to the Ofox API endpoint. The SKILL.md and script also use different names for the required key (the script reads OFOX_API_KEY or OPENROUTER_API_KEY but prints an error asking to set IMAGE_API_KEY), which is confusing and could cause accidental use of the wrong secret.
- Install Mechanism
  - ok: No install spec (instruction-only plus a small script). No downloads or archive extraction. This is lower-risk from an installation perspective.
- Credentials
  - concern: Metadata lists no required environment variables, but scripts expect OFOX_API_KEY or OPENROUTER_API_KEY; error messages reference a different name (IMAGE_API_KEY). Requiring an API key for an image-generation service is reasonable, but the unclear/mismatched env var names and the acceptance of multiple provider keys (without switching endpoints) are disproportionate and risky: a key intended for one service may be sent to a different endpoint.
- Persistence & Privilege
  - ok: The skill does not request persistent/always-on privilege, does not modify system-wide settings, and has no config path requirements. Autonomous invocation is allowed by default but is not combined with other high-risk flags.
